Date:      Mon, 24 Jan 2000 15:18:25 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        freebsd-security@freebsd.org
Subject:   more complete ipfw rules
Message-ID:  <3.0.5.32.20000124151825.01c3d100@staff.sentex.ca>


With all the recent talk of flooding etc., I decided to go over my ipfw
rules on my two border routers to a) make sure I am not letting in things I
don't need, and b) to be a good net citizen and not allow source addresses
to leave my network that don't belong here.

With ${oif} being my outside interface,

I had been using that stuff in 

    # Stop RFC1918 nets on the outside interface

But what about multicast addresses?  I am not running any multicast
applications.  Should there not also be

    $fwcmd add deny all from 224.0.0.0/8 to any via ${oif}

and I was also wondering about

    $fwcmd add deny all from 0.0.0.0/8 to any via ${oif}
    $fwcmd add deny all from 255.0.0.0/8 to any via ${oif}

and I don't want outside connections with a source address of the loopback

    $fwcmd add deny all from 127.0.0.0/8 to any in recv ${oif}

but I am not sure if this will do what I want it to do.  Are there any
others?  What about ICMP?  Just redirects?

	---Mike
------------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Network Administrator,                            mike@sentex.net
Sentex Communications                             www.sentex.net
Cambridge, Ontario Canada


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
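The questions in the message above come down to how ipfw's interface keywords behave: `via ${oif}` matches a packet passing through that interface in either direction, while `recv`/`xmit` match only the receiving or transmitting interface, and `in`/`out` further restrict the direction. Two details of the posted rules are also worth checking: the multicast range is 224.0.0.0/4 (224 through 239), so a /8 covers only 224.x.x.x, and the limited broadcast address 255.255.255.255 lies inside the reserved 240.0.0.0/4. For the ICMP question, ipfw selects message types with the `icmptypes` option (a redirect is type 5). The following is an added example, not code from the original post or from FreeBSD: a small Python model of ipfw's first-match semantics for exactly these keywords, run against constructed packets. The interface names fxp0/fxp1, the local block 198.51.100.0/24 and the remote host 203.0.113.5 are placeholders, and the implicit final rule is assumed to be deny.

```python
"""Simplified model of ipfw rule matching (added example, not FreeBSD code); keywords from the post plus 'icmptypes'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

OIF, IIF = "fxp0", "fxp1"                        # ${oif} and an assumed inside interface
MYNET = ipaddress.ip_network("198.51.100.0/24")  # placeholder for our own address block

@dataclass
class Packet:
    src: str
    dst: str
    direction: str              # "in" (just received) or "out" (about to be sent)
    recv_if: Optional[str]      # interface it arrived on; None if locally generated
    xmit_if: Optional[str]      # interface it leaves on; None while still inbound
    proto: str = "ip"
    icmptype: Optional[int] = None

@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_not: bool               # 'from not <net>'
    direction: Optional[str] = None
    if_kw: Optional[str] = None # "via", "recv" or "xmit"
    iface: Optional[str] = None
    icmptypes: Optional[set] = None

def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)

def parse_rule(text: str) -> Rule:
    """Parse e.g. 'deny all from 224.0.0.0/4 to any via fxp0'."""
    tok = text.split()
    assert tok[2] == "from"
    src_not = tok[3] == "not"
    i = 3 + src_not             # bool adds 0 or 1
    rule = Rule(tok[0], tok[1], _net(tok[i]), src_not)
    assert tok[i + 1] == "to" and tok[i + 2] == "any", "only 'to any' is modelled"
    i += 3
    while i < len(tok):
        if tok[i] in ("in", "out"):
            rule.direction, i = tok[i], i + 1
        elif tok[i] in ("via", "recv", "xmit"):
            rule.if_kw, rule.iface, i = tok[i], tok[i + 1], i + 2
        elif tok[i] == "icmptypes":
            rule.icmptypes, i = {int(t) for t in tok[i + 1].split(",")}, i + 2
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r}")
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("all", "ip", pkt.proto):
        return False
    if (ipaddress.ip_address(pkt.src) in rule.src) == rule.src_not:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.icmptypes is not None and pkt.icmptype not in rule.icmptypes:
        return False
    if rule.if_kw == "via":     # either the receiving or the transmitting interface
        return rule.iface in (pkt.recv_if, pkt.xmit_if)
    if rule.if_kw == "recv":
        return pkt.recv_if == rule.iface
    if rule.if_kw == "xmit":
        return pkt.xmit_if == rule.iface
    return True

def verdict(rules, pkt: Packet) -> str:
    # First match wins; the implicit final rule is assumed to be deny.
    return next((r.action for r in rules if matches(r, pkt)), "deny")

RULES = [parse_rule(r) for r in (
    f"deny all from 10.0.0.0/8 to any via {OIF}",            # RFC1918 (172.16/12, 192.168/16 likewise)
    f"deny all from 0.0.0.0/8 to any via {OIF}",
    f"deny all from 224.0.0.0/4 to any via {OIF}",           # whole multicast range
    f"deny all from 240.0.0.0/4 to any via {OIF}",           # reserved, incl. 255.255.255.255
    f"deny all from 127.0.0.0/8 to any in recv {OIF}",
    f"deny all from {MYNET} to any in recv {OIF}",           # our own prefix arriving from outside
    f"deny all from not {MYNET} to any out xmit {OIF}",      # foreign source about to leave
    f"deny icmp from any to any in recv {OIF} icmptypes 5",  # redirects from the outside
    "allow all from any to any",
)]

def demo() -> dict:
    """Verdicts for constructed packets (not captured traffic)."""
    inside, outside = "198.51.100.10", "203.0.113.5"
    pkts = {
        "loopback_in":  Packet("127.0.0.1", inside, "in", OIF, None),
        "multicast_in": Packet("239.255.255.250", inside, "in", OIF, None),
        "ownnet_in":    Packet("198.51.100.7", inside, "in", OIF, None),
        "spoofed_out":  Packet("10.1.2.3", outside, "out", IIF, OIF),
        "legit_out":    Packet(inside, outside, "out", IIF, OIF),
        "legit_in":     Packet(outside, inside, "in", OIF, None),
        "redirect_in":  Packet(outside, inside, "in", OIF, None, "icmp", 5),
        "echo_in":      Packet(outside, inside, "in", OIF, None, "icmp", 8),
    }
    return {name: verdict(RULES, p) for name, p in pkts.items()}

def post_multicast_rule_misses(addr: str) -> bool:
    """True when the post's 224.0.0.0/8 rule does not match inbound source addr."""
    r = parse_rule(f"deny all from 224.0.0.0/8 to any via {OIF}")
    return not matches(r, Packet(addr, "198.51.100.10", "in", OIF, None))
```

Running `demo()` denies the spoofed loopback, multicast, own-prefix and RFC1918 sources while letting ordinary traffic through, and `post_multicast_rule_misses("239.255.255.250")` shows why the /4 is needed: the /8 from the post lets a 239.x.x.x source straight past. The `out xmit ${oif}` rule with `not ${mynet}` is the egress half of "good net citizen" filtering; `via` alone would also catch inbound packets, which is why the inbound own-prefix check is written separately with `in recv`.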